In a communications system, policy control is an indispensable function of various core network devices (such as a router, a switch, and a gateway). As shown in FIG. 1, a user configures multiple policy rules by using a configuration interface, a specific policy script, or other means, and delivers the policy rules to a device; the device then processes the multiple services running on it based on those policy rules.
On current network devices, and in particular on devices such as a router, a switch, and a gateway, there are more and more service applications, for example, application delivery control (ADC), wide area network (WAN) optimization control (WOC), deep packet inspection (DPI), intrusion prevention system (IPS), and uniform resource locator filter (URLF) service applications. The number and types of policy rules corresponding to these service applications are also increasing continuously. As the complexity of service rules increases, a policy processing method faces challenges in device performance and reliability.
As shown in FIG. 2, the execution of a policy rule in the prior art includes the following steps: packet processing (collection of policy-related information), condition matching, rule verification, and action execution. After a device receives packet data, the device first performs layer 1 to layer 7 data processing on the received packet data, which generally includes disassembling the packet, extracting the packet header information of the various layers, and extracting layer 7 protocol field information; then the device verifies the collected information against the policy conditions, and if any condition is satisfied, a rule verifying module is triggered to perform rule matching; and if a policy rule is matched, the corresponding service action is executed. If different services require different packet processing, special processing of some packets may also be included.
In the prior art, when duplicate information exists in the packet information required by various services, duplicate service processing procedures exist. For example, the IPS, URLF, and ADC all require that condition matching be performed on Uniform/Universal Resource Locator (URL) information. In this case, the condition matching process is duplicated in each service, and the rule verification process is duplicated as well. In addition, duplicate and redundant processes sometimes also exist in packet processing. For example, when the IPS requires scanning of the data of an entire packet, the URLF requires scanning of only the URL field, and the ADC requires scanning of only the Hyper Text Transfer Protocol (HTTP) packet header data, the packet is generally processed independently in the IPS, URLF, and ADC services in the prior art, which means that the packet is scanned multiple times. Thus, in the prior art, duplicate operations may exist in the steps of packet processing, condition matching, and rule matching. Because many duplicate operations exist, service performance deteriorates on devices that have complex policies and multiple services.
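The following Python model is an added illustration, not code from the patent or from any device it describes. It implements the four stages above (packet processing, condition matching, rule verification, action execution) for three services that all condition on URL information, and counts how often each stage runs when every service processes the packet independently versus when the packet is parsed once and the shared condition is evaluated once. The HTTP request, the rules, and the service actions are constructed for the example; the service names IPS, URLF and ADC follow the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Fields = Dict[str, object]

# Constructed HTTP request standing in for a received packet.
SAMPLE_PACKET = (
    b"GET /downloads/setup.exe HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: demo-client\r\n"
    b"\r\n"
)


@dataclass
class Counters:
    """How often each processing stage ran on the device."""
    packet_parses: int = 0
    condition_checks: int = 0
    rule_checks: int = 0


def parse_http(packet: bytes, counters: Counters) -> Fields:
    """Packet processing stage: split the request line and headers and
    assemble the URL that the policy conditions refer to."""
    counters.packet_parses += 1
    head, _, body = packet.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"http://{headers.get('host', '')}{path}"
    return {"method": method, "path": path, "headers": headers,
            "url": url, "body": body}


def has_url(fields: Fields) -> bool:
    """Policy condition shared by IPS, URLF and ADC: a URL was extracted."""
    headers = fields["headers"]
    return bool(headers.get("host")) and bool(fields["path"])  # type: ignore[union-attr]


@dataclass
class Rule:
    service: str
    condition: Callable[[Fields], bool]   # condition matching stage
    verify: Callable[[Fields], bool]      # rule verification stage
    action: str                           # action execution stage


# Constructed rules: each service conditions on the same URL information.
RULES: List[Rule] = [
    Rule("IPS", has_url, lambda f: str(f["path"]).endswith(".exe"), "alert"),
    Rule("URLF", has_url, lambda f: "/downloads/" in str(f["url"]), "block"),
    Rule("ADC", has_url,
         lambda f: str(f["headers"].get("host", "")).endswith(".test"),  # type: ignore[union-attr]
         "mark-priority"),
]


def run_per_service(packet: bytes, rules: List[Rule],
                    counters: Counters) -> List[Tuple[str, str]]:
    """Prior-art flow from the text: every service processes the packet and
    matches its condition independently, so the work is repeated."""
    actions = []
    for rule in rules:
        fields = parse_http(packet, counters)      # repeated for each service
        counters.condition_checks += 1
        if rule.condition(fields):
            counters.rule_checks += 1
            if rule.verify(fields):
                actions.append((rule.service, rule.action))
    return actions


def run_shared(packet: bytes, rules: List[Rule],
               counters: Counters) -> List[Tuple[str, str]]:
    """Contrast: parse once, evaluate each distinct condition once, then verify
    every service's rule against the shared fields."""
    fields = parse_http(packet, counters)
    condition_results: Dict[int, bool] = {}
    actions = []
    for rule in rules:
        key = id(rule.condition)
        if key not in condition_results:
            counters.condition_checks += 1
            condition_results[key] = rule.condition(fields)
        if condition_results[key]:
            counters.rule_checks += 1
            if rule.verify(fields):
                actions.append((rule.service, rule.action))
    return actions


def compare(packet: bytes = SAMPLE_PACKET) -> Dict[str, Counters]:
    """Run both flows on the same packet; the decisions must agree."""
    per_service, shared = Counters(), Counters()
    decisions_a = run_per_service(packet, RULES, per_service)
    decisions_b = run_shared(packet, RULES, shared)
    assert decisions_a == decisions_b
    return {"per_service": per_service, "shared": shared}


if __name__ == "__main__":
    for name, counters in compare().items():
        print(name, counters)
```

On the constructed request all three rules fire, and both flows return the same three actions; the difference is only in the counters, where the per-service flow parses the packet and evaluates the URL condition three times while the shared flow does each once. Rule verification still runs once per service in both flows, because the three rules themselves differ.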